Wazuh correlation rule for sysmon


Əhsən Nağıyev

Jan 28, 2026, 4:05:58 AM
to Wazuh | Mailing List

Hi, my aim is to ignore multiple notepad.exe terminations during system shutdown (when RuntimeBroker starts it), but alert on isolated / unexpected ones. I tried many rules but it didn't work. Please help me.


<group name="sysmon,windows">

  <rule id="100031" level="2">
    <if_sid>61607</if_sid>
    <field name="win.eventdata.image">RuntimeBroker.exe</field>
    <description>Sistem sönməsi başladıldı.</description>
  </rule>

  <rule id="100030" level="0">
    <if_sid>61607</if_sid>
    <match>notepad.exe</match>
    <description>Notepad prosesi sonlandırıldı.</description>
  </rule>

  <rule id="100032" level="0" frequency="10" timeframe="6">
    <if_sid>61607</if_sid>
    <description>Sönmə zamanı Notepad-i görməzden gəl.</description>
  </rule>

  <rule id="100033" level="5">
    <if_sid>100030</if_sid>
    <if_matched_sid>!100032</if_matched_sid>
    <description>Notepad prosesi sonlandırıldı.</description>
  </rule>
 
</group>

Bony V John

Jan 28, 2026, 4:18:43 AM
to Wazuh | Mailing List
Hi,

Please allow me some time, I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Jan 28, 2026, 4:56:53 AM
to Wazuh | Mailing List
Hi,

Based on the rules you shared, it seems you are trying to ignore alerts from rule ID 100033 when rule ID 100030 is triggered. This means a Notepad process is terminated and should be considered part of a system shutdown by checking rule ID 100032.

However, there are some syntax and logic issues in your last two rules.

Issues with rule ID 100032

You have configured frequency and timeframe, but you are using the <if_sid> tag, which is not correct for this use case.
If your goal is to trigger this rule when rule ID 61607 is triggered 10 times within 6 seconds, you must use the <if_matched_sid> tag instead.

Also, the parent rule (61607) has a level of 0. For correlation rules to work correctly, the parent rule level should be 1 or greater, otherwise the rule will not trigger unless you modify the default rule.

Additionally, it seems you are trying to use rule ID 100032 to ignore the Notepad process closing alert during system shutdown, but there is no field in your rule that checks whether the system is actually shutting down.
If the log contains a field that indicates the system is shutting down, then that field can be used in the rule condition. Otherwise, this rule will not work as expected.

Issues with rule ID 100033

In rule ID 100033, you added ! inside the <if_matched_sid> tag. This will cause a syntax error.
The <if_matched_sid> tag only accepts rule IDs. Other symbols are not allowed.

You can refer to the Wazuh documentation for more details about the correct syntax for creating custom rules.


To assist you better, could you please share some sample logs that you are using to test these rules? This will allow us to reproduce and validate the behavior on our end.

To collect sample logs, you need to enable archive logs.

To take logs from archives.json, first you need to enable log_all_json on the Wazuh manager.

1. Enable log_all_json on the Wazuh manager.

2. Reproduce the event
Trigger the event again to capture the relevant logs.

3. Extract the relevant logs
Run the following command on the Wazuh manager:
cat /var/ossec/logs/archives/archives.json | grep -iE "<related string>"
Replace <related string> with a relevant value from the log to filter the specific entries.

4. Disable log_all_json
After capturing the logs, disable log_all_json in the ossec.conf file to prevent excessive storage usage.

Share the sample log that you have taken from archives.json with us. This will help us to replicate it on our end and assist you better.

Əhsən Nağıyev

Jan 28, 2026, 6:01:48 AM
to Wazuh | Mailing List
My goal is to configure Wazuh so that I get alerts when the Notepad process is terminated under normal circumstances. However, if the termination is part of a system shutdown, I want those alerts to be ignored.
My intention is this: If you look at the logs within 10 seconds and see that the event ID is 1074 (meaning the computer has shut down) and there is also a log showing that Notepad has closed, then do not generate an alert. But in normal cases (when it’s just Notepad closing without a shutdown), an alert should be generated.
The log is the same when Notepad closes in both cases; there is no difference.

{"win":{"system":{"providerName":"User32","providerGuid":"{b0aa8734-56f7-41cc-b2f4-de228e98b946}","eventSourceName":"User32","eventID":"1074","version":"0","level":"4","task":"0","opcode":"0","keywords":"0x8080000000000000","systemTime":"2026-01-27T13:39:22.8974690Z","eventRecordID":"2083","processID":"476","threadID":"492","channel":"System","computer":"DESKTOP-AJ5NIH4","severityValue":"INFORMATION","message":"\"The process C:\\Windows\\System32\\RuntimeBroker.exe (DESKTOP-AJ5NIH4) has initiated the restart of computer DESKTOP-AJ5NIH4 on behalf of user DESKTOP-AJ5NIH4\\Ahsan for the following reason: Other (Unplanned)\r\n Reason Code: 0x0\r\n Shutdown Type: restart\r\n Comment: \""},"eventdata":{"param1":"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe (DESKTOP-AJ5NIH4)","param2":"DESKTOP-AJ5NIH4","param3":"Other (Unplanned)","param4":"0x0","param5":"restart","param7":"DESKTOP-AJ5NIH4\\\\Ahsan"}}}     

{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5770385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"5","version":"3","level":"4","task":"5","opcode":"0","keywords":"0x8000000000000000","systemTime":"2026-01-28T08:15:56.7060469Z","eventRecordID":"14232","processID":"3140","threadID":"4516","channel":"Microsoft-Windows-Sysmon/Operational","computer":"DESKTOP-AJ5NIH4","severityValue":"INFORMATION","message":"\"Process terminated:\r\nRuleName: -\r\nUtcTime: 2026-01-28 08:15:56.691\r\nProcessGuid: {eeacebe3-c5b5-6979-9d00-000000002500}\r\nProcessId: 1980\r\nImage: C:\\Windows\\System32\\notepad.exe\r\nUser: DESKTOP-AJ5NIH4\\Ahsan\""},"eventdata":{"utcTime":"2026-01-28 08:15:56.691","processGuid":"{eeacebe3-c5b5-6979-9d00-000000002500}","processId":"1980","image":"C:\\\\Windows\\\\System32\\\\notepad.exe","user":"DESKTOP-AJ5NIH4\\\\Ahsan"}}}


On Wednesday, January 28, 2026 at 13:56:53 UTC+4, Bony V John wrote:

Bony V John

Jan 29, 2026, 3:00:51 AM
to Wazuh | Mailing List

Hi,

It looks like these are two different events. Based on your use case, this correlation is not possible with the current Wazuh rule engine because it does not support correlating two separate events. In your case, one event is Event ID 5 and the other is Event ID 1074, so they are handled independently.

That said, in the upcoming Wazuh 5.0 release, the current rule engine is expected to be replaced with a newer and improved version, which should provide better correlation capabilities. Scenarios like this are more likely to be supported in future versions. For now, this type of correlation cannot be implemented with the existing engine.

In the meantime, you can refer to the Wazuh rule syntax documentation to understand what is possible with custom rules using the current rule engine.
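Since the current rule engine treats Sysmon Event 5 and User32 Event 1074 independently, the 10-second window the asker describes can still be applied after the fact over exported archives.json lines. The script below is an added example, not code from this thread or from Wazuh; it reuses the key names of the two sample logs above (win.system.eventID, win.system.systemTime, win.eventdata.image) on constructed sample lines with invented timestamps.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed lines modelled on the two archives.json events quoted in this
# thread (same keys: win.system.eventID, systemTime, win.eventdata.image).
SAMPLE_LINES = [
    '{"win":{"system":{"eventID":"5","systemTime":"2026-01-28T08:15:56.7060469Z"},'
    '"eventdata":{"image":"C:\\\\Windows\\\\System32\\\\notepad.exe"}}}',
    '{"win":{"system":{"eventID":"1074","systemTime":"2026-01-28T08:20:00.0000000Z"},'
    '"eventdata":{"param1":"C:\\\\Windows\\\\System32\\\\RuntimeBroker.exe (DESKTOP-AJ5NIH4)","param5":"restart"}}}',
    '{"win":{"system":{"eventID":"5","systemTime":"2026-01-28T08:20:03.5000000Z"},'
    '"eventdata":{"image":"C:\\\\Windows\\\\System32\\\\notepad.exe"}}}',
    '{"win":{"system":{"eventID":"5","systemTime":"2026-01-28T08:20:12.0000000Z"},'
    '"eventdata":{"image":"C:\\\\Windows\\\\System32\\\\notepad.exe"}}}',
    'not json at all',  # a malformed line is skipped rather than crashing the run
]

def parse_time(ts):
    # Windows systemTime carries 7 fractional digits; datetime keeps 6.
    base, _, frac = ts.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)

def load_events(lines):
    events = []
    for line in lines:
        try:
            win = json.loads(line)["win"]
            events.append((win["system"]["eventID"],
                           parse_time(win["system"]["systemTime"]),
                           win.get("eventdata", {})))
        except (ValueError, KeyError, TypeError):
            continue  # not a parseable Windows event: skip it
    return events

def classify_notepad_terminations(lines, window_seconds=10):
    """[(time, 'suppressed' | 'alert')] for each Sysmon Event 5 on notepad.exe:
    suppressed if a User32 Event 1074 lies within window_seconds either side."""
    events = load_events(lines)
    window = timedelta(seconds=window_seconds)
    shutdowns = [t for eid, t, _ in events if eid == "1074"]
    decisions = []
    for eid, t, data in events:
        image = data.get("image", "").rsplit("\\", 1)[-1].lower()
        if eid != "5" or image != "notepad.exe":
            continue
        near_shutdown = any(abs(t - s) <= window for s in shutdowns)
        decisions.append((t.isoformat(), "suppressed" if near_shutdown else "alert"))
    return decisions
```

Feed it the grep output from step 3 above (one JSON object per line) to see which Notepad terminations would have been alerted on and which fall inside a shutdown window.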
